######################################################### This is the main config file for dehydrated ## ## This file is looked for in the following locations: ## $SCRIPTDIR/config (next to this script) ## /usr/local/etc/dehydrated/config ## /etc/dehydrated/config ## ${PWD}/config (in current working-directory) ## ## Default values of this config are in comments ########################################################## Resolve names to addresses of IP version only (curl).# supported values: 4, 6# Default: <unset>#IP_VERSION=# Path to certificate authority.# Default: https://acme-v01.api.letsencrypt.org/directory#CA="https://acme-v01.api.letsencrypt.org/directory"CA="https://acme-staging.api.letsencrypt.org/directory"# Path to license agreement.# default: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf#LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"# Which challenge should be used? Currently http-01 and dns-01 are supported.#CHALLENGETYPE="http-01"CHALLENGETYPE="dns-01"# Path to a directory containing additional config files, allowing to override# the defaults found in the main configuration file. Additional config files# in this directory needs to be named with a '.sh' ending.# Default: <unset>#CONFIG_D=# Base directory for account key, generated certificates and list of domains# Default: $SCRIPTDIR -- uses config directory if undefinedBASEDIR="/etc/dehydrated"# File containing the list of domains to request certificates for.# Default: "$BASEDIR/domains.txt"#DOMAINS_TXT="${BASEDIR}/domains.txt"# Output directory for generated certificates.# Default: "${BASEDIR}/certs"#CERTDIR="${BASEDIR}/certs"# Directory for account keys and registration information.#ACCOUNTDIR="${BASEDIR}/accounts"# Output directory for challenge-tokens to be served by webserver or deployed in# HOOK# Default: "/var/www/dehydrated"WELLKNOWN="/var/lib/dehydrated"# Default key size for private keys.# Default: "4096"#KEYSIZE="4096"# Path to OpenSSL configuration file# Default: <unset> - tries to figure out system default.OPENSSL_CNF="${BASEDIR}/openssl.cnf"# Program or function called in certain situations## After generating the challenge-response, or after failed challenge (in this# case altname is empty). Given arguments:# clean_challenge|deploy_challenge# altname# token-filename# token-content## After successfully signing certificate. Given arguments:# deploy_cert# domain# path/to/privkey.pem# path/to/cert.pem# path/to/fullchain.pem## BASEDIR and WELLKNOWN variables are exported and can be used in an external# program.# Default: <unset>HOOK="/usr/local/lib/pdns_api.sh/pdns_api.sh"# Chain clean_challenge|deploy_challenge arguments together into one hook call# per certificate# Default: "no"HOOK_CHAIN="yes"# Minimum days before expiration to automatically renew certificate.# Default: 30#RENEW_DAYS="30"# Regenerate private keys instead of just signing new certificates on renewal.# Default: "yes"PRIVATE_KEY_RENEW="no"# Which public key algorithm should be used?# Supported: rsa, prime256v1 and secp384r1# Default: "rsa"#KEY_ALGO="rsa"# E-mail to use during the registration.# Default: <unset>#CONTACT_EMAIL=CONTACT_EMAIL=webmaster@example.net
# Lock-file location, to prevent concurrent access.# Default: $BASEDIR/lockLOCKFILE="/var/run/dehydrated.lock"# Option to add CSR-flag indicating OCSP stapling to be mandatory.# Default: "no"OCSP_MUST_STAPLE="yes"# PowerDNS API settings for the hook script.# Default:HOST=ns0.example.net
# Default:PORT=8081# Optional. Defaults to 8081# Default:KEY=secret # API key# Default:SERVER=localhost # Optional. Server for the API to use, usually `localhost`# Default:VERSION=1# Optional. API version, 0 for anything under PowerDNS 4# Default:WAIT=150# Optional. Delay for when slaves are slow

Postfix SMTP server and Dovecot IMAP server both don’t do OCSP stapling, or
maybe just my mail client Thunderbird doesn’t or other MX don’t. I don’t know exactly, but the fact remains: SMTP and IMAP Connections to the mail server fail with an OpenSSL error message “alert bad certificate: SSL alert number 42”.

Since we configured Dehydrated to request certificates with the x.509 extension
“OCSP must staple”, they will not work with connecting clients if the server
does not staple. We therefore make an exception in the Dehydrated configuration:

Private keys must be carefully protected, thats why in most cases the private
key files are owned by the root user and have strict file permissions, to not
allow access to anyone else. Most servers start with root privileges to open IP
ports lower then 1024 and read their certificate and private keys. They lower
their privileges after that and run under their own dedicated user and group.

Some servers (e.g. Prosody) have a different approach. Their user profile is
part of the ssl-cert group. The ssl-cert group is given read access to private keys and certificate files. That way such a server never needs to be started or run with root privileges to begin with.

Dehydrated does not currently allow read-acccess to the ssl-cert group.